What type of security system gives you the most security? - Page 2

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Quote Originally Posted by gore
    What if someone needs to set up a server cluster that can NOT be taken down, and needs to be locked farther than usual?

    Well with Windows that won't happen. Something is going to need an update and those all need a reboot in Windows.
    That's why you have a cluster. You can take one leg down, the other(s) will still serve requests. Service availability is the key not server availability. Try setting up a *nix cluster and you'll need to do the same if you want/need to update.

    Quote Originally Posted by gore
    If I said set up a FreeBSD server, hire a good UNIX coder, and basically take the Kernel down to NOTHING but what you need to boot, and then basically hack a Web Server directly into the Kernel telling it to drop ALL packets that aren't web traffic, you have a machine that is going to be mighty hard to break into since it's nothing but a Kernel and a Server hacked into it and the only packets it's going to let through are requests from a web browser asking for the web page.
    There's no "need" to take apart the Windows kernel. It's a hybrid kernel (mainly micro but with some monolithic traits) meaning it's already as small as possible. Linux and BSD have a monolithic kernel; everything but the kitchen sink needs to be built into it.

    The reason to do this (hack the webserver into the kernel) is performance, not security. Performance will be enhanced because there's no need to switch context between user and kernel mode. It actually makes things LESS secure because a bug will take down everything (a nice fat kernel panic). Exploiting that bug will get you into kernel mode instantly. Not really what you want if security is essential.
    Last edited by SirDice; February 29th, 2008 at 07:44 AM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #12
    AO BOFH: Luser Abuser BOFH, Moderator (gore)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    OK maybe I'm not saying it right, but I know for a fact you can make a box a hell of a lot more secure stripping it down to a service and a Kernel.

    I'll check in the morning because there is ONE person I know personally who does this at all. I can probably find links online to it but I'd rather check with the one person I actually know who does this.

    I'm obviously not describing it properly.

    Also, as I last read, the NT Kernel isn't true Micro. It's Hybrid.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  3. #13
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I'd love to see how he does it

  4. #14
    AO BOFH: Luser Abuser BOFH, Moderator (gore)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Me too because I can't find ONE link right now when I used to have one saved. I know the basic process is stripping the whole system down to nothing. Pretty much you hack the Kernel to nothing but what you need to boot hardware and NOTHING else, and pop the server right into it to only allow web traffic on whatever port it is you want it to allow and tell it to drop everything else... And for the life of me I can't find the damned web page that I had read about it on.

    I've only heard of it being done twice. Once was for some porn site that kept getting broken into, they paid a Kernel coder a crap load of cash to do it and didn't once ever have an attack again nor did they update the thing ever again and it ran for over 7 years.

    The other is higher end. Of course I can't find it now that I actually need to so I'll just have to wait until they get up in the morning.

    I can try to keep looking but I'm probably not going to be sleeping any time soon, Wife had a panic attack so we're both up and after my little trip to the ER yesterday neither of us are having the best day ever.

    That's actually pissing me off because I can't remember where it was even talked about, I tried google and searching for the exact terms, then adding in + this and + that but it still didn't bring up the results.

  5. #15
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Still, IMO shoving everything into the kernel is a bad idea, security wise. In an ideal world this could work; in that ideal world there are no software bugs. We all know in reality bugs do exist and it's just a matter of time before someone finds it. As has been said before, security needs a layered approach. So a fault in one layer doesn't bring down the whole system.

    Yes, you would remove everything you don't need (hardening). But this is to prevent getting bitten by a bug in a part you're not actually using. Keeping it clean means you can focus on only the parts you really use. Still, these parts can contain bugs and you need to build your system expecting one to bite you.

    (I hope the wife's ok? Get some sleep! )
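The two SirDice posts above (#11 and #15) make one argument: a bug in code that runs in the kernel is a panic and a kernel-mode foothold, while the same bug in a user-space process with a boundary around it costs you one process. The following is an added example, not code from the thread or from any poster, that shows that boundary at work in C: a supervisor forks a worker per request, one worker hits a constructed null-pointer bug and dies, and the supervisor records the crash and keeps serving. It is POSIX/Linux only; `run_isolated`, `serve_stream` and the two handlers are names chosen for the demo.

```c
/* Added example (not from the thread): a user-space supervisor that runs each
 * request handler in a forked worker. The process boundary is the "layer":
 * a memory-safety bug in the worker kills only that worker, the supervisor
 * notices and keeps serving. The same bug linked into the kernel is a panic,
 * or kernel mode for whoever triggers it. POSIX/Linux only; the crashing
 * handler is constructed for the demo. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*handler_fn)(void);

/* What happened to one isolated worker. */
typedef struct {
    int crashed;   /* 1 if the worker was killed by a signal */
    int sig;       /* the signal number, or 0 */
    int status;    /* exit code if it exited normally, else -1 */
} worker_result;

/* Fork, run `handler` in the child, report the outcome to the parent.
 * The parent never executes handler code, so the handler cannot corrupt it. */
worker_result run_isolated(handler_fn handler)
{
    worker_result r = { 0, 0, -1 };
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return r;
    }
    if (pid == 0) {
        _exit(handler() & 0xff);   /* child: handler's return value is the exit code */
    }
    int wstatus = 0;
    if (waitpid(pid, &wstatus, 0) < 0) {
        perror("waitpid");
        return r;
    }
    if (WIFSIGNALED(wstatus)) {
        r.crashed = 1;
        r.sig = WTERMSIG(wstatus);
    } else if (WIFEXITED(wstatus)) {
        r.status = WEXITSTATUS(wstatus);
    }
    return r;
}

/* A correct handler. */
int handler_ok(void)
{
    return 0;
}

/* A handler with the kind of bug the posts talk about: a null-pointer write.
 * In user space this is SIGSEGV for one process; in-kernel it is a panic. */
int handler_buggy(void)
{
    volatile int *p = NULL;
    *p = 1;
    return 0;
}

/* Serve `total` requests, one of which (`bad_index`) hits the buggy handler.
 * Returns how many were answered; the supervisor outlives the crash. */
int serve_stream(int total, int bad_index)
{
    int served = 0;
    for (int i = 0; i < total; i++) {
        worker_result r = run_isolated(i == bad_index ? handler_buggy : handler_ok);
        if (r.crashed) {
            fprintf(stderr, "request %d: worker died with signal %d; supervisor continues\n",
                    i, r.sig);
        } else if (r.status == 0) {
            served++;
        }
    }
    return served;
}

int main(void)
{
    int served = serve_stream(5, 2);
    printf("served %d of 5 requests; one worker crashed, the service stayed up\n", served);
    return 0;
}
```

Compile with `cc -Wall isolate.c -o isolate && ./isolate`: request 2 is lost, the other four are served, and the supervisor exits normally. Replace `fork` with a kernel-mode call and there is no `waitpid` to come back to; that is the whole difference the posts are pointing at. Forking per request is the heavy version of the idea; the usual production shape is a pool of unprivileged worker processes (or a separate service account plus chroot/namespace), but the boundary is the same.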

  6. #16
    Master-Jedi-Pimps0r & Moderator (thehorse13)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I say throw all of those "solutions" in the garbage.

    Here is why.

    1) AV is a legacy solution. It is completely useless in the current and near future threat landscapes.
    2) Firewalls suggest that there is such thing as trusted networks. No such thing anymore.
    3) IDS doesn't do much for me when criminals have moved over to encryption and/or moving data in normal traffic streams with stego, etc. Besides, knowing something after the fact isn't that helpful.

    I say harden your systems to exist in hostile environments. The classic definition of a network as you know it will be extinct in 5 years. Think cloud.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #17
    Junior Member
    Join Date
    Feb 2008
    Posts
    6
    Quote Originally Posted by SirDice
    Service availability is the key not server availability.
    SirDice,

    Can Service(s) be available without the Server availability? The only reason I ask this question is, because I am puzzled.

    Thank you in advance if you could explain what you meant?

    Cheers
    R.o.P.E

  8. #18
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Quote Originally Posted by Residents.of.Planet.Earth
    Can Service(s) be available without the Server availability? The only reason I ask this question is, because I am puzzled.
    This is one way to do it:
    http://en.wikipedia.org/wiki/High-availability_cluster
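The link above describes the mechanism in general terms; the following is an added example, not code from the thread or from any poster, that models the part of it the question is about: requests go to a virtual service, the service probes its backend nodes and hands each request to the first healthy one, and taking a node down for a patch reboot causes a failover instead of an outage. Node names (`web1`, `web2`), the flag-based health probe and the `rolling_update` scenario are constructed for the demo; a real probe would be a TCP connect or HTTP GET against each node, and a real cluster would move a virtual IP or DNS record rather than an index.

```c
/* Added example (not from the thread): a small model of an active/passive
 * high-availability cluster. Service availability survives as long as one
 * node is healthy; with every node down, the service is down too. Node names
 * and the flag-based probe are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define MAX_NODES 8

typedef struct {
    const char *name;
    int up;        /* what the health probe reports */
    int served;    /* requests answered by this node */
} node;

typedef struct {
    node nodes[MAX_NODES];
    int count;
    int active;    /* index of the node currently serving, or -1 */
    int failovers; /* number of times the active node had to change */
} cluster;

void cluster_init(cluster *c, const char *const *names, int n)
{
    memset(c, 0, sizeof *c);
    c->count = n > MAX_NODES ? MAX_NODES : n;
    for (int i = 0; i < c->count; i++) {
        c->nodes[i].name = names[i];
        c->nodes[i].up = 1;
    }
    c->active = -1;
}

/* Keep the current node while the probe says it is healthy; otherwise fail
 * over to the first healthy node. Returns the index, or -1 if none is up. */
int cluster_select(cluster *c)
{
    if (c->active >= 0 && c->nodes[c->active].up)
        return c->active;
    for (int i = 0; i < c->count; i++) {
        if (c->nodes[i].up) {
            if (c->active >= 0)
                c->failovers++;   /* a previously active node was lost */
            c->active = i;
            return i;
        }
    }
    c->active = -1;
    return -1;
}

/* Route one request. Returns 1 if served, 0 if the whole service is down. */
int cluster_serve(cluster *c)
{
    int i = cluster_select(c);
    if (i < 0)
        return 0;
    c->nodes[i].served++;
    return 1;
}

/* Rolling maintenance: reboot nodes one at a time while traffic continues.
 * Returns how many of count * per_step requests were served. */
int rolling_update(cluster *c, int per_step)
{
    int served = 0;
    for (int i = 0; i < c->count; i++) {
        c->nodes[i].up = 0;   /* node i down for its update */
        for (int r = 0; r < per_step; r++)
            served += cluster_serve(c);
        c->nodes[i].up = 1;   /* back in the pool; no failback needed */
    }
    return served;
}

typedef struct {
    int served;          /* requests served during the rolling update */
    int failovers;       /* active-node changes it took */
    int outage_served;   /* requests served with every node down */
} demo_result;

/* Two-node cluster, three requests per maintenance step, then a full outage. */
demo_result run_demo(void)
{
    static const char *const names[] = { "web1", "web2" };
    cluster c;
    demo_result d;
    cluster_init(&c, names, 2);
    d.served = rolling_update(&c, 3);
    d.failovers = c.failovers;
    c.nodes[0].up = 0;
    c.nodes[1].up = 0;
    d.outage_served = cluster_serve(&c);
    return d;
}

int main(void)
{
    demo_result d = run_demo();
    printf("rolling update: %d of 6 requests served, %d failover(s)\n", d.served, d.failovers);
    printf("all nodes down: %d request(s) served\n", d.outage_served);
    return 0;
}
```

Both legs get rebooted, every request during the update is answered, and exactly one failover happens (the first step picks the surviving node before any node was active). The point SirDice made earlier in the thread is visible in the numbers: each server is unavailable for part of the run, the service never is. The last line is the caveat: redundancy only helps while at least one node is healthy, so a bug shared by every node (the same vulnerable kernel module on both legs) takes the service down with them.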

  9. #19
    Junior Member
    Join Date
    Feb 2008
    Posts
    6
    SirDice,

    Thank you for the link. I recognize that the subject matter (Clusters) is complex to my understanding and comprehension, but I think I get a picture of how Service(s) can be made available in High Availability Clusters with the help of redundant nodes, in case a particular node detects a hardware/software failure. The failing node then restarts the applications on the redundant node.

    Very interesting subject.

    Cheers
    R.o.P.E

  10. #20
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Quote Originally Posted by gore
    and basically take the Kernel down to NOTHING but what you need to boot, and then basically hack a Web Server directly into the Kernel
    Just the kernel... so this wouldn't support any server-side scripting at all, right?
